Adobe tackles critical code execution vulnerabilities in Acrobat, Reader

This month’s security update fixes a variety of critical and important bugs in the software.
Written by Charlie Osborne, Contributing Writer

Adobe's latest security update has tackled a set of critical and important bugs in Acrobat and Reader.

On Tuesday, the company issued its standard monthly round of fixes, the majority of which relate to the popular PDF viewing and editing software. 

In total, 26 vulnerabilities have been resolved, 11 of which are deemed critical and could lead to remote code execution. 

The patches have been created for Acrobat DC, Acrobat Reader DC, Acrobat and Classic 2020, Acrobat Reader 2020, Acrobat/Reader 2017, and Acrobat/Reader 2015 on Windows and macOS machines. 

See also: Adobe releases Acrobat web experience for Box platform

Two critical vulnerabilities (CVE-2020-9693, CVE-2020-9694) are out-of-bounds write security flaws that lead to arbitrary code execution if exploited. Two further critical bugs (CVE-2020-9696, CVE-2020-9712) are security bypass problems that can be exploited to circumvent existing security controls. 

Arbitrary code vulnerabilities account for seven of the critical vulnerabilities resolved in the Acrobat and Reader update. The first five (CVE-2020-9698, CVE-2020-9699, CVE-2020-9700, CVE-2020-9701, and CVE-2020-9704) are buffer issues, whereas the remaining two (CVE-2020-9715, CVE-2020-9722) are use-after-free flaws that can also lead to arbitrary code execution in the context of the current user. 

The important vulnerabilities range from sensitive data exposure, security bypass, stack exhaustion, and out-of-bounds read problems. Adobe says that if exploited, these issues could result in memory leaks to information disclosure and application denial-of-service.  

CNET: How China uses facial recognition to control human behavior

In addition to the main security update, the tech giant also fixed a single vulnerability in Lightroom Classic, versions and earlier, on Windows machines. Tracked as CVE-2020-9724, the insecure library loading issue could be abused for privilege escalation purposes. 

It is recommended that users accept automatic updates to apply the new set of patches. 

Adobe thanked researchers from Fortinet's FortiGuard Labs, Qihoo 360, Offensive Security and iDefense Labs, and Palo Alto Networks, among others. 

TechRepublic: How companies are getting employees to take vacation this summer rather than hoard PTO

In July, Adobe released an out-of-band patch to resolve 13 vulnerabilities -- 12 of which deemed critical -- impacting Photoshop, Prelude, and Bridge. The fixes relate to out-of-bounds read and write issues leading to arbitrary code execution attacks. 

Over Patch Tuesday, Microsoft released a massive security update tackling 120 vulnerabilities. In total, 17 vulnerabilities are considered critical, and two are considered zero-day vulnerabilities that are being actively exploited in the wild.  

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards